Game of Registrars: an Empirical Analysis of Post-Expiration Domain

Home , Domain name, Domain name registrar, Domain parking, Domain tasting, Dynadot, ENom

Game of Registrars: An Empirical Analysis of Post-Expiration Domain Name Takeovers Tobias Lauinger, Northeastern University; Abdelberi Chaabane, Nokia Bell Labs; Ahmet Salih Buyukkayhan, Northeastern University; Kaan Onarlioglu, www.onarlioglu.com; William Robertson, Northeastern University https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/lauinger

This paper is included in the Proceedings of the 26th USENIX Security Symposium August 16–18, 2017 • Vancouver, BC, Canada ISBN 978-1-931971-40-9

Open access to the Proceedings of the 26th USENIX Security Symposium is sponsored by USENIX Game of Registrars: An Empirical Analysis of Post-Expiration Domain Name Takeovers

Tobias Lauinger Abdelberi Chaabane Ahmet Salih Buyukkayhan Northeastern University Nokia Bell Labs Northeastern University Kaan Onarlioglu William Robertson www.onarlioglu.com Northeastern University

Abstract zones of authority or trust. For example, controlling a domain name is often equivalent to gaining access to Every day, hundreds of thousands of Internet domain additional resources [44]. An assumption common to all names are abandoned by their owners and become avail- these approaches is that domain ownership is constant and able for re-registration. Yet, there appears to be enough perpetual. However, in actuality this is not true as domain residual value and demand from domain speculators to name registrations must be renewed and paid for on a give rise to a highly competitive ecosystem of drop-catch yearly basis. In fact, hundreds of thousands of expired services that race to be the first to re-register potentially domain names are deleted each day (e.g., over 75 k per desirable domain names in the very instant the old re- day in the popular com zone alone [24]). gistration is deleted. To pre-empt the competitive (and uncertain) race to re-registration, some registrars sell their Once a domain name has been deleted, it can be re- own customers’ expired domains pre-release, that is, even registered by any interested party on a first-come, first- before the names are returned to general availability. served basis. Schlamp et al. [44] showed how such re- These practices are not without controversy, and can registrations can be used to take over protected resources have serious security consequences. In this paper, we associated with these domains. Nikiforakis et al. [42] present an empirical analysis of these two kinds of post- discussed websites still attempting to include JavaScript expiration domain ownership changes.We find that 10 % code from third-party domains long after they had expired, allowing attackers to inject code into these sites. Lever et of all com domains are re-registered on the same day as al. [33] measured more formally how often re-registered their old registration is deleted. In the case of org, over 50 % of re-registrations on the deletion day occur during domains were associated with malicious behaviour. How- only 30 s. Furthermore, drop-catch services control over ever, by focussing on certain kinds of risk or malice, these 75 % of accredited domain registrars and cause more than studies do not illustrate the full scope of the issue. 80 % of domain creation attempts, but represent at most We argue that the problem goes beyond specific cases 9.5 % of successful domain creations. These findings of abuse related to re-registered domains. It also in- highlight a significant demand for expired domains, and cludes the much broader and more frequent category of hint at highly competitive re-registrations. undesirable behaviour akin to topics thoroughly studied Our work sheds light on various questionable practices by the security community, such as spam [32], search in an opaque ecosystem. The implications go beyond the engine poisoning [49], ISPs hijacking NXDOMAIN annoyance of websites turned into “Internet graffiti” [26], DNS responses [50], domain parking [2, 48], typo- as domain ownership changes have the potential to cir- squatting [1, 37, 47], and reuse of social media profile cumvent established security mechanisms. names [35, 36]. Re-registered domains appear to be pre- dominantly used for speculation and monetisation purposes, taking advantage of the residual traffic still reach- 1 Introduction ing the domains. Users who follow links from third-party websites or type in an address that they remember are Domain names are a key part of linking to content on taken to a new incarnation of the site that can be arbitrarily the Web, and they have an equally central role in naming different from the service that they actually wish to visit. services on the Internet, such as in email addresses. A In Section 4.4, we show that a majority of re-registered large number of security mechanisms and protocols have domains are parked and host nothing but advertisements. been devised that rely on domains to designate distinct ICANN called this undesirable practice “a form of Inter-

USENIX Association 26th USENIX Security Symposium 865 net graffiti” [26]; domain parking is also known to pose their own systems in an “optimal strategical location” [4] higher-than-average risks to visitors [48]. physically close to the registry; these optimisations re- We believe it is important for the security community semble high-frequency trading in the financial industry. to better understand the big picture of domain ownership Drop-catch services are not without controversy. Some transfers and the implications for users, Internet abuse, registries actively discourage the practice (e.g., registrars and defences thereof. This paper provides a quantitative are penalised for failed uk registration requests [8]), while analysis of the “recycling” of expired domain names. We others at least implicitly encourage or facilitate it (e.g., show that this is a frequent phenomenon, causing a range Verisign makes available to its registrars lists of com and of negative side effects as companies compete with each net domains that are about to be deleted). other while catering to the demand for expired domains. The extent and process of the drop are publicly known There are four distinct scenarios in which domains only in abstract terms as each drop-catch service aims to can change owners: When the current owner sells to a maintain their competitive position. In this paper, we con- new owner while the domain registration is active; when duct the first measurement study of the drop and provide the domain’s sponsoring registrar sells the domain to a as much detail as is possible from an outside vantage new owner while the domain registration is expired but point. Furthermore, we characterise the extent and com- before control of the domain is returned to the registry petitiveness of drop-catch re-registrations on “day 0,” that (pre-release); as an instant re-registration in the very mo- is, the day an expired domain name is deleted. ment the old registration is deleted, using a drop-catch We find that a surprisingly large fraction of deleted do- service; or as a conventional domain registration at any mains (10 % of com) is re-registered on the same day. In later time using any domain name registrar. Regular do- the case of org, the drop lasts only about 30 seconds, main sales are authorised by the owner of the domain but accounts for more than half of all same-day re- and therefore less of a concern from an abuse perspective. registrations of deleted domains. These results show that Medium to long-term domain re-registrations have been re-registrations are frequent and highly competitive. Des- studied before [29, 22]. Pre-release and drop-catch do- pite the significantly higher price, there is a large demand main ownership transfers, however, are barely mentioned for drop-catch domains. In fact, there seems to be an in the literature, and we are not aware of any systematic arms race between drop-catch services that has been in- measurement or quantification of these phenomena. tensifying recently, with the Top 3 now controlling 75 % There is an entire ecosystem of services attempting of accredited registrars. Drop-catch causes at least 80 % to monetise and profit from expired domains. Many do- of domain creation attempts, yet only a tiny fraction are main registrars such as GoDaddy auction off their own eventually successful. The higher prices paid for drop- customers’ expired domains (without their collaboration); catch domains suggest that their new owners consider when sold, these domains maintain their current registra- them to be valuable; however, in our cursory analysis of tion and are simply made over to the new owner. From a domain uses, we show that most re-registered drop-catch security perspective, such pre-release domains are prob- domains contain nothing but advertisements and parking lematic because they retain their original creation dates pages, suggesting monetisation through residual traffic and exhibit only very limited cues as to the new owner- and speculative re-registrations. Our findings raise the ship. For instance, pre-release domains subvert proactive question of whether these uses justify the risks associated creation-time domain blacklisting mechanisms such as with domain ownership changes without the explicit con- Predator [21], which is related to a similar technique used sent of the prior registrant; they furthermore illustrate that by the commercial Spamhaus blacklist, because the own- security mechanisms must account for domain deletions ership change does not involve a new registration. This and re-registrations as a frequent phenomenon (e.g., more example illustrates the need for a thorough study of how than 20 % of all com domains are deleted each year, and commonly pre-release domains are available and sold. out of those, 10 % are re-registered immediately by a new Once expired domains are deleted, they can be re- owner, and many more at a later time). registered on a first-come, first-served basis, and these Our work makes the following contributions: re-registrations can be quite competitive. So-called drop- catch services race to be the first to re-register expired • We call attention to widespread “recycling” of used domain names in the very moment they become avail- domains despite relatively high prices and measure able. During a daily phenomenon that is called “the drop,” the extent of the issue as a whole, instead of simply they flood the registry’s systems with registration requests, focussing on specific types of detected abuse. something previously described as “the world’s largest • We describe little-known ways domain ownership legal denial of service attack” [8]. In order to gain an can change, and are the first to quantify the secretive advantage over their competition, drop-catch services ecosystem of drop-catch services and their daily race reverse-engineer details of the drop [8, 28] and place to take over deleted domains. We use a variety of

866 26th USENIX Security Symposium USENIX Association public data sources to confirm the existence of a erwise requested by the owner of the expired domain, phenomenon so far described only anecdotally. registrars typically delete it shortly before the end of the • We show that same-day domain takeovers are fre- 45-day auto-renew grace period in order not to incur the quent and competitive, using a full sample of all registry’s renewal fee. Such domains enter a 30-day re- domains deleted from four popular zones during a demption period during which the domain is deactivated four-week period in 2016 (over 4 million domains). and “locked” by the registry in the sense that the only • We quantify the inordinate impact that drop-catch allowed modification is renewal by the original owner, services have on the domain registration ecosystem, for an increased fee. Domains not recovered during the accounting for over 75 % of accredited registrars and redemption period transition into the pending delete state, over 80 % of domain creation attempts, but at most which means that these registrations will be deleted after 9.5 % of successful domain creations. 5 days and the domains can be re-registered by any interested party on a first-come, first-served basis. • We discuss how certain registrars exploit grace peri- Figure2 summarises a domain’s most typical expiration ods to minimise their financial risk when attempt- phases on a timeline. Expired domains can change owners ing to sell pre-release domains or proactively re- during two points in time: Pre-release domains can be registered drop-catch domains, similar to the now sold and transferred to a new owner during the auto-renew banned practice of domain tasting [6, 27]. grace period; pending delete domains can be re-registered by a drop-catch service directly after deletion, or manually 2 Background & Related Work at any later point, all provided that the domain has not already changed owners beforehand. Names in the Domain Name System (DNS) are structured hierarchically. Top-level domains (TLDs) such as com or net are created by the Internet Corporation for Assigned 2.2 Pre-Release Domain Sales Names and Numbers (ICANN) and then delegated for During the auto-renew grace period, even though the ex- day-to-day operation to a registry such as Verisign. Each piration date has already passed, registrars maintain con- registry maintains a directory of the registered second- trol over the domain. ICANN and the registries appear level names and their authoritative name servers, called to give registrars some flexibility in how they manage a DNS zone. Registries delegate billing and customer this period, with the result that different registrars imple- support to ICANN-accredited registrars, companies such ment a range of varying policies that may or may not as GoDaddy or Gandi, which sell domain names to their be favourable to the registrant of the expiring domain. customers. The Internet Assigned Numbers Authority Some registrars such as Gandi give their customers the (IANA) maintains a list of all accredited registrars and full 45 days for late renewals without additional fees [15], their globally unique IDs [23]. Details about the activ- whereas other registrars begin charging increased late re- ity of these registrars in each zone are available in the newal fees or attempt to sell the domain to a new owner. monthly reports that registries must file with ICANN, and GoDaddy, for example, begins charging customers an in- that are made public after a three-month delay [24]. creased late renewal fee on the 19th day after expiration, and puts the domain name up for auction beginning on th 2.1 Domain Lifecycle the 26 day [17]. While GoDaddy operates their own domain name auction service, other registrars such as Domains are registered for a period of one or more years. Moniker or Tucows partner with third-party platforms If a domain is not renewed before its expiration date, it such as SnapNames [46]. These auctions allow any in- goes through a series of phases that permit late renewals terested party to bid for expiring names and potentially before the domain is ultimately deleted. Figure1 shows a acquire them, subject to the original registrant not exer- simplified domain state diagramme taken from [29]. For cising their right to renew the domain. If a domain is sold, the purposes of this paper, it is sufficient to know that the new owner pays for the renewal as well as auction domains not explicitly renewed or deleted before their fees and the sponsoring registrar changes the domain’s expiration date are automatically renewed by the registry, ownership information to the new owner. The domain giving the registrar a 45-day auto-renew grace period to remains under the management of the registrar and keeps undo this automatic renewal before becoming liable for its original metadata such as the registration creation date. the renewal fees. The details of how this grace period From a domain management point of view, this process is affects the domain and its original owner depend on each the same as what would happen if the previous owner had registrar’s policies. Typically, registrars either deactiv- sold the domain to a new owner, except that the previous ate the domain or point it to a parking site to alert the owner does not in fact participate in or benefit from the owner that the domain can still be renewed. Unless oth- pre-release sale, since all proceeds go to the registrar and

USENIX Association 26th USENIX Security Symposium 867 Domain after 5 days Pending Not Registered Delete

restore create delete after 30 days after 45 days

Add after 5 days past date of Auto-Renew Registered delete Redemption Grace Period expiration Grace Period Period

renew* renew* delete

Figure 1: Diagramme from [29] showing domain states and transitions due to commands issued by the registrar, or automatic transitions if no command is issued before the deadline. If a domain is not deleted or renewed by the registrar before the expiration date, the registry automatically renews it for a year. *Additional states for renew and domain transfers omitted.

listed as listed as expiration pre-release pending delete domain when exactly it will “drop” and place the re-registration date deleted sale re-registration t request in a timely manner. For popular domains, it is auto-renew grace period redemption period pending delete (unregistered) not very promising to attempt to do so manually, since (up to 45 days) (30 days) (5 days) a number of drop-catch services specialise in automatic Figure 2: Timeline of domain expiration with a pre-release sale oppor- re-registration of deleted domains in the very moment tunity during the auto-renew grace period and a re-registration oppor- they become available. These services accept backorders tunity after the domain has been deleted (drop-catch re-registrations occur instantly after deletion). from customers who are interested in an already registered domain and attempt to re-register the domain if it is ever deleted. Around the deletion window, drop-catch services auction platform. The entire auction process takes place flood the registry with registration requests, most of which during the duration of the auto-renew grace period when can be expected to fail because the domain has either registrars hold the domains for free. Unsold domains can not been deleted yet, or it has already been re-registered be deleted before they incur any cost at the registry, which by a competitor. Drop-catch services attempt to reverse means that registrars run a negligible financial risk when engineer the registry’s deletion process in order to use they attempt to sell their customers’ expired domains. their resources more efficiently and gain an advantage over their competition. Furthermore, drop-catch services 2.3 Drop-Catch Domain Re-Registrations are said to use multiple (rate-limited) registrar access credentials and place their servers physically close to the While the general process of domain expiration depicted registry’s systems [4, 8, 28], similar to common practices in Figure1 is very similar for the generic TLDs, the exact in high frequency trading in the financial industry. procedure of domain deletion at the end of the pending In contrast to pre-release domain sales, drop-catch ser- delete period may differ from registry to registry. In vices do not control the domain when an order is placed the following description, we focus on the com and net and cannot guarantee that they will be able to obtain it. zones operated by Verisign because they are the most The starting price of a drop-catch domain can be up to popular and have most details available in various online ten times the regular annual registration fee. If a drop- sources [8, 28, 13]. According to these sources, each day catch service successfully obtains a domain and multiple Verisign makes available to its registrars a list of all do- customers had placed an order, the winner is typically mains that just entered the pending delete period and will determined in a three-day private auction. Since such do- become available for re-registration five days later, along mains were deleted (even if only for fractions of a second), with popularity data derived from traffic to the zone’s their metadata looks like that of a newly registered do- authoritative DNS servers. Deletion of domains follows a main, without any trace of the prior registration instance. somewhat predictable procedure that is also called “the drop.” Beginning each day at 2pm ET, Verisign’s systems 2.4 Domain Tasting iterate over the “dropping” domain names in a certain order and change their status from registered to available Figure1 shows that newly registered domains start in a one by one, with the whole process lasting up to an hour. five-day add grace period during which the domain re- Since deleted domains can be re-registered on a first- gistration can be cancelled at no cost. While intended to come, first-served basis, to maximise the probability of address accidental domain registrations such as typing er- “catching” a sought-after domain, it is essential to predict rors, this grace period led to wide-spread abuse, so-called

868 26th USENIX Security Symposium USENIX Association domain tasting, which consists in domain speculators paper, we focus on immediate drop-catch re-registrations, tentatively registering a domain with the sole purpose of and we also characterise related phenomena such as pre- testing how much traffic it would receive, and deleting the release sales. We are not aware of any prior work that has domain if the observed traffic did not warrant the regis- studied the pre-release and drop-catch ecosystems. tration fee. In related work, Coull et al. [6] showed that domain tasting accounted for 76 % of all daily domain creations. After 2008/2009, when ICANN implemented 3 Methodology policies penalising registrars for excessive tasting, the To study post-expiration ownership changes of domain frequency of the phenomenon declined by 99.7 % [27]. names, we need to know which domains are available for We will show in Section 4.6 that in a fashion similar to pre-release sale or drop-catch re-registration, and track pre-release sales, at least one drop-catch service makes their status to discover the outcome. use of domain tasting to tentatively register domain names and delete them at no cost when it cannot find a buyer. 3.1 Domain Availability Lists 2.5 Related Work Most pre-release and drop-catch services publish lists of imminently available domains so that prospective buyers Prior research in the area of domain registrations includes can scout them for interesting inventory. We downloaded the work on registration intent by Halvorson et al. [18, these lists daily as the starting point for our analysis. 19, 20]. Schlamp et al. [44] describe an attack to take over protected resources by re-registering the expired domains of email addresses. Nikiforakis et al. [42] study 3.1.1 Pre-Release inclusions of third-party JavaScript code in websites and We downloaded pre-release lists from four large services find dependencies loaded from expired domain names, that sell expiring domains: Dynadot [14], GoDaddy [16], which could be re-registered for code injection attacks. NameJet [40], and SnapNames [45]. These lists contain Attackers have also been reported to re-register expired the names of available pre-release domains along with domains that built up a good reputation [5, 22, 33]. the date when each auction will close, and sometimes Although unrelated to domains, Mariconti et al. [35, also metadata such as the current bid, the number of par- 36] show that similar risks of trust abuse exist on social ticipants in the auction, the age of the domain, or traffic networks that allow abandoned profile names to be reused. data collected by the registrar from a post-expiration park- Two works present a more systematic examination of ing page that can be used to valuate the domain. While domain re-registrations: Hao et al. [22] investigate char- Dynadot and GoDaddy are primarily registrars and ap- acteristic registration patterns of spam domains and find pear to re-sell their own customers’ expired domains, that among re-registered domains, those later used for other services partner with third-party registrars to offer spamming tend to be registered faster than non-malicious their expiring domain inventory (e.g., the list of partner domains. They then use several registration-time fea- registrars of SnapNames includes Moniker and Tucows). tures to predict which domains are likely to be used for malicious purposes [21]. Lever et al. [33] analyse the 3.1.2 Pending Delete maliciousness of domains before and after re-registration with a focus on when malicious behaviour occurs, not Lists of domains in the pending delete state are avail- when or why a domain is re-registered. In several case able from drop-catch services such as Namepal Back- studies, they recount concrete security issues that arose orders [3], Domain Graveyard [9], Domain Monster [10], from expired (and re-registered) domain names of name DropCatch [11], Dynadot [14], NameJet [40], Pool [43], servers, email addresses, software repositories, and spam and SnapNames [45]. These lists contain the deletion operations. To automatically detect domain ownership date of each domain, that is, when the domain can be re- changes, the authors propose Alembic, an algorithm based registered, and sometimes also traffic data derived from on DNS-related features. It is unclear whether pre-release the zone’s DNS lookup traffic. domain sales exhibit DNS signals strong enough to be de- A practical complication when using these lists is that tected, since such sales might result in only minor changes the time zones of dates are sometimes not explicitly stated, to the DNS configuration when domains continue to be and the listed dates sometimes refer to the last time to maintained by the same registrar or hosting company. place an order, whereas in other cases they refer to the ac- In previous work [29], we studied the expiration pro- tual deletion date. In contrast to pre-release lists, pending cess of domain names, long-term re-registration probabil- delete lists do not contain exclusive inventory and should ities, and ambiguities in WHOIS data. Our analysis at the therefore overlap among all services. (Some lists differed time was oblivious to the nature of re-registrations. In this by around one hundred names per day; we noticed that

USENIX Association 26th USENIX Security Symposium 869 some services removed names containing trademarks or Zone com net org biz name punycode domains whereas other services did not.) We Pre-Release Domains 1.2 M 135 k 116 k 21 k 182 use the overlap to convert all lists into a common time min/day 23.8 k 2.5 k 2.1 k 388 2 median/day 43.5 k 4.9 k 4 k 710 7 convention as follows: As a preliminary reference, we max/day 53.7 k 6.7 k 6.4 k 1.1 k 15 use Dynadot’s list, which is the only one that declares Sales/Late Renewals 70.6 k 5.9 k 4.8 k 475 6 its timestamps as UTC, and is also the most complete list. Separately for each other list, we extract the dates Table 1: The number of domains on all pre-release lists during our associated with each domain found in both that list and 28-day measurement period along with the daily min/median/max, and total domains not deleted (either sold by platform or renewed by owner). Dynadot’s list, and compute the distribution of the time difference. We use the mode of this distribution as each list’s time offset from Dynadot. Once we have adjusted Zone com net org biz name all lists, we observe that they agree on the same date for Pending Delete Domains 2.1 M 255 k 169 k 51 k − min/day 61.6 k 7.4 k 4.8 k 1.2 k − 99.99 % of com and net domains and around 80 % of org median/day 76.4 k 9.2 k 6.1 k 1.7 k − and biz domains, with the vast majority of disagreements max/day 92.1 k 11.2 k 7.5 k 2.6 k − involving only a one-day difference. We hypothesise All Observed Re-Registr. 334.3 k 33.5 k 15.5 k 3.3 k − “Day 0” Re-Registrations 215.6 k 16.9 k 7.9 k 0.9 k − that the qualitative difference between com/net and the other zones may be due to different ways of collabora- Table 2: The number of domains on all pending delete lists during our tion between the registries and the drop-catch services; 28-day measurement period along with the daily min/median/max. Note Verisign manages both com and net and is known to the strong daily variation. Our observations of overall re-registrations make lists of pending delete domains available to regis- are right censored, whereas deletion day re-registrations are not. trars, whereas we could not find any public information regarding the other registries’ policies. To resolve any 3.2.1 MAIN: Pre-Release & Drop-Catch Domains disagreement among the lists about the deletion date of a domain, we apply a majority voting algorithm and pick During a four-week period starting in late July 2016, each the date declared by most of the lists. day we began tracking all com, net, org, biz and name domains appearing on the pre-release and pending delete lists mentioned above with an end date three days in the 3.2 Domain Status Tracking future. That is, we requested the WHOIS records of each pre-release and pending delete domain three days before The domain lists compiled by pre-release and drop-catch the end of the auction or the deletion date, respectively. services alert us about new domains becoming available, This first WHOIS lookup allowed us to extract domain but they do not contain the outcome, that is, whether a pre- metadata corresponding to the expiring registration, such release domain was sold to a new owner, or if a deleted as the original domain creation date, the expiration date, domain has been re-registered. We obtain this information and any status flags corresponding to expiration states from the respective registry’s WHOIS database, which is (Figure1) that may be set, such as pending delete. We the official public source for domain registration metadata. then repeated each lookup every 2 weeks. The frequency Since WHOIS databases contain only current data but no was chosen low enough to include every listed domain history, we need to extract data periodically in order to while not exhausting our limited budget of lookups, but detect changes. Furthermore, while access to WHOIS high enough to observe transient status changes such as databases is public, it is also rate limited, which bounds the 30-day redemption period. After the end of the four- the number of domains that we can track. We conducted week period, we stopped adding new domains from the two experiments, each designed to measure a specific lists, but we continued tracking the previous sample until aspect of domain re-registrations: mid-December. For our lookups, we respected conser- vative delays between queries (2 s for com, net, biz and name, and 30 s for org), and we were able to carry out • pre-release sales and drop-catch re-registrations over our lookups without being blocked. Overall, we tracked a four-week period in 2016, our MAIN data set, and more than four million domains, as shown in Table1 for • domain tasting in drop-catch re-registrations during pre-release, and in Table2 for pending delete domains. one week in 2017 (TASTING). Recall that pre-release domain sales take place during the auto-renew grace period so that registrars can delete A common principle of both experiments was that we the domains without incurring any cost if they do not sell. sourced new domains from the daily lists during the seed Since the length of this period is no more than 45 days, time, and we periodically requested WHOIS records for we can conclude that a sale or renewal has taken place if these known domains during the tracking time. the WHOIS status at least 45 days after the initial lookup

870 26th USENIX Security Symposium USENIX Association shows that (1) the domain still exists, (2) the domain is Zone com net org biz name not in a redemption period or pending delete state (it Total Domains (Aug’16) 131 M 16.1 M 11.3 M 2.3 M 166 k is not being deleted), and (3) the domain’s records still added (per day) 81.3 k 8.7 k 5.4 k 1.3 k 26 deleted (per day) 72.7 k 8.8 k 6.5 k 1.5 k 66 have the same creation date as in the first lookup (the “Day 0” Re-Reg. Adds 9.5 % 7.0 % 5.2 % 2.4 % − domain has not been re-registered). Note that we do not (mean, per day)7 .7 k 605 280 32 − possess registrant information for com and net domains due to their thin WHOIS model. In these zones, registrant Table 3: The total number of domains registered in August 2016 as well information is not available from the registry, but must be as the daily mean of domains added and deleted in July and August 2016 according to the ICANN registry reports. Deletion day re-registrations requested from the domain’s sponsoring registrar. Prior (as determined in our measurements) are given both in absolute terms work by Liu et al. found that registrars’ Whois servers and as a fraction of daily domain creations. They represent an upper typically have much lower, and usually undisclosed rate bound on successful drop-catch domain creations. limits, which makes it challenging to extract registrant data at scale [34]. Furthermore, the authors described a growing number of domains hiding their true ownership 3.3 Limitations through privacy protection services, over 20 % in 2014. Our analysis relies on domain lists to discover expiring For the purposes of this work, we decided that the benefits and deleting domains. While the high overlap among of ownership data did not justify the effort needed to pending delete lists of competing services makes us con- collect it. As a result, we cannot distinguish pre-release fident that their union represents all com, net, org and sales from domain owners using the very last opportunity biz domains that are about to be deleted, our pre-release to renew their expired domain, since both cases result in lists do not cover the full inventory of expiring domains the domain remaining active. However, we believe that available for purchase due to the fragmented ecosystem. only a small fraction corresponds to last-minute renewals However, we believe that our pre-release lists cover a because registrars contact their customers many weeks majority of the available inventory as we source our data before expired domains go to auction and disincentivise from the most popular platforms. According to our results late renewals with higher fees, as discussed in Section 2.2. in Section 4.1, the vast majority of domains on pre-release Pending delete domains can be re-registered as soon as lists is not sold but deleted, which causes those domains to the domain exits the pending delete status. We can detect ultimately appear on pending delete lists. Our pre-release a re-registration by a creation date that is on or after the lists are more than half the size of the pending delete “drop date” from the pending delete lists. If a domain is re- lists, with the largest part of the difference likely due to registered on the same day that the previous registration registrars that do not offer any pre-release sales at all. was deleted, we call it a 0-day drop-catch re-registration. This paper analyses ownership transfers of expiring or deleted domains, which implies a bias towards domains of lesser value. Highly valuable domain names are likely to be sold directly rather than expiring due to non-renewal.

3.2.2 TASTING: Drop-Catch Domain Tasting 4 Analysis Domain tasting registrations are active for a maximum of five days, the duration of the add grace period, before We begin our analysis by providing context for expiring they are deleted. Since the two-week measurement fre- domains. According to ICANN’s registry reports, 2.2 M quency in the MAIN data set cannot reliably find every com domains were deleted in August 2016, which corres- instance of tasting registrations, we discarded any such ponds to 1.7 % of all registered com domains, as shown observation from that data set to retain only “surviving” in Table3. In contrast, about 2.6 M com domains were registrations, and we designed a separate experiment to added during the same period, hinting at a constant and measure tasting. Specifically, for the TASTING experi- sizeable turnover in registered domains. While some of ment’s seed time of one week in late January 2017, we the added domains were never registered before, many are extracted Whois records for all domains from the pending re-registrations of old domains. In this paper, we focus on delete lists three times at fixed delays: Three days before drop-catch domains that are re-registered on day 0, that the deletion date to observe the registration instance that is, on the deletion day of the old registration. was about to be deleted, one day after the deletion date Some expired domains may be available even before to observe any drop-catch re-registration, including short- they are deleted, and our pre-release lists (Table1) advert- lived tasting registrations, and six days after the deletion ise around 1.2 M com domains over a period of 28 days. date to find out whether a drop-catch re-registration had The large number of expiring domains that can be ac- been cancelled (due to tasting) or remained active. quired by means of an ownership transfer instead of a

USENIX Association 26th USENIX Security Symposium 871 Zone com net org biz name ing the same time span in the com, net, and org zones, Dynadot 17.1 % 32.9 % 13.7 % 22.4 % 27.8 % and less than half for biz. While pre-release lists are 1.9 k 607 176 175 biased towards participating registrars, and only domains GoDaddy 5.31 % 3.33 % 4.06 % 2.21 % 0.65 % not sold during the pre-release phase ultimately appear 30.5 k1 .9 k2 .0 k 1641 on a pending delete list, the pre-release domains available NameJet 9.89 % 7.63 % 6.81 % 4.84 % − 27.1 k2 .4 k1 .5 k 134 − through the four services make up a sizeable portion of SnapNames 3.39 % 2.41 % 2.59 % 1.57 % − the entire expiring domain inventory. It is worth invest- 11.1 k 9811 .1 k 160 − igating how many of them are sold pre-release instead of becoming available as pending delete domains. Table 4: Pre-release domains not deleted (likely sold) per platform. Since purchases of pre-release domains are guaran- teed and the prices sometimes lower than drop-catch re- re-registration illustrates that security mechanisms should registrations, one might expect to observe a higher frac- avoid relying exclusively on creation-time features to tion of pre-release sales than drop-catch re-registrations. detect potential ownership changes. To conclude this However, the numbers in Table4 do not support such a overview, Table2 shows that the number of domains on general trend. In nearly all zones, Dynadot and NameJet pending delete lists supplied by drop-catch services is in sell a larger fraction of their inventory than the corres- line with the official statistics from the ICANN reports. ponding re-registration rates one month after deletion. Therefore, we can rely on these pending delete lists to GoDaddy and SnapNames, on the other hand, sell a con- discover the domains that are about to be deleted. siderably lesser fraction—GoDaddy has the largest inventory of domains but sells only 5.31 % of their pre-release com domains, which is half the percentage of overall com 4.1 Demand for Expired Domains drop-catch re-registrations on the deletion day. Using the predicted deletion dates from the pending de- Pre-release domains that are not sold are marked for delete lists (in the MAIN data set), we find that 10.1 % of letion and will appear on pending delete lists. While one all deleted com domains are re-registered on the same may suspect that the availability of pre-release domains day, that is, the earliest possible day for a re-registration. of a registrar might have a negative affect on drop-catch Smaller zones also exhibit smaller fractions of same-day re-registrations, we did not find any clear difference in re-registration at 6.6 % of net, 4.7 % of org and 1.8 % of re-registration rates of registrars that offer pre-release biz. Our results suggest that re-registrations are not only domains compared to others that do not. In fact, we ob- a common phenomenon in general, but also one driven by served a surprisingly frequent phenomenon of pre-release enough competition to cause re-registrations to happen as domains that were not sold initially, but re-registered as early as possible. The deletion day has the highest daily drop-catch domains once they had been deleted. rate of re-registrations. For instance, after the 10.1 % on the deletion day, it takes about one month until the next 4.2 Competitiveness of Re-Registrations 5 % of deleted com domains are re-registered. Given that many buyers appear to be interested in gain- To gain a better understanding of how domains are re- ing access to a domain name as soon as possible, we registered on their deletion day (and verify the third-party look at the sales of pre-release domains, which are avail- accounts cited in Section 2.3), we need a fine-grained able even before they are deleted. Pre-release domains view of the creation time of the re-registration. Unfortu- are typically exclusive inventory of the selling platform, nately, WHOIS records for com and net domains do not thus competition among prospective buyers would play contain the exact time when the domain was created, but out monetarily in auctions as opposed to a timing-based for org and biz, we can plot domain creations with a technical arms race between competing services. second precision. Figure3 shows the UTC time-of-day The four pre-release domain lists that we use in our creation time of all org and biz re-registrations from the research are slightly different in nature. GoDaddy and pending delete lists separately for the deletion day, that Dynadot are domain registrars themselves and likely sell is, drop-catch re-registrations, and all re-registrations that only their own customers’ expired domains—all com do- happened on a later day. Re-registrations on any day after mains on these two lists were initially registered by only the deletion day are relatively evenly distributed over the 16 and 11 different registrar IDs, respectively. NameJet day with no strong time-of-day effect. Re-registrations and SnapNames, on the other hand, appear to be mar- on the deletion day, however, do not begin until 14:30 ketplaces with a number of collaborating registrars; we for org and 17:00 for biz with around 90 % and 60 % of observed 277 and 263 registrar IDs in their com domains. all re-registrations on that day occurring within the first Taken together, the four pre-release lists contain more 30 minutes. The remaining re-registrations during the re- than half as many domains as the pending delete lists dur- maining time of the day are again evenly distributed. This

872 26th USENIX Security Symposium USENIX Association 1.0 1.0 1.0 Day 0 (org) 0.8 Days 1+ (org) 0.8 0.8 Day 0 (biz) 0.6 0.6 Days 1+ (biz) 0.6

0.4 0.4 0.4

0.2 0.2 0.2 CDF of re-registrations

CDF of re-registrations (day 0) 0.0 0.0 CDF of re-registrations (day 0) 0.0

01:0003:0005:0007:0009:0011:0013:0015:0017:0019:0021:0023:00 14:25 14:26 14:27 14:28 14:29 14:30 14:31 14:32 14:33 14:34 14:35 14:30:00 14:30:10 14:30:20 14:30:30 14:30:40 14:30:50 14:31:00 Registration time (UTC) Registration time (UTC) Registration time (UTC)

Figure 3: CDF of the time of day when domains Figure 4: CDF of re-registration times for org Figure 5: CDF of re-registration times for org from pending-delete lists are re-registered, sep- on day 0 (minute-level detail of Figure3). Ex- on day 0 (second-level detail of Figure4). More arately for day 0 (drop-catch) and any later day. cept for a few outliers, re-registrations begin than half of the deletion day re-registrations oc- Drop-catch re-registrations occur in a spike after at 14:30 and slow down before 14:31 UTC, at cur within the first 30 s; only around 10 % are deletion of the domains, whereas regular re- which point more than 60 % of the deletion day re-registered during the following 30 s. registration times are more evenly distributed. re-registrations have already occured. suggests that the drop process of org and biz is similar of net and org similarly use many times more registrar to the one reported for com and net. In other words, all IDs on day 0 as opposed to the entire period after the dele- domains scheduled to become available for re-registration tion day. At the same time, re-registrations on day 0 only on a given day do so within a brief “drop” interval. account for between half and two thirds of all observed re- Figure4 contains a minute-precision detail of the same registrations. This illustrates that disproportionately more plot for org re-registrations on day 0 and shows that over resources are utilised for 0-day re-registrations. Consider, 60 % of the day’s re-registrations occur in the minute for instance, that the 1,745 registrar IDs correspond to between 14:30 and 14:31. Figure5 zooms in even further a daily median of only 7.7 k com 0-day re-registrations. to a second-level precision and reveals that more than half For biz, the trend is inverse with only 34 registrar IDs of the day’s re-registrations occur within the first half of used on the deletion day compared to 94 afterwards; this the first minute; only around 10 % are re-registered during is another indicator that the biz drop is less competitive. the following 30 s. The high density of re-registrations during a very short time period hints at how competitive The higher number of registrar IDs in use for deletion- the re-registration race is. For instance, manual attempts day re-registrations goes in hand with a much lower skew to re-register a sought-after domain on its deletion day towards the most active IDs. According to Figure6, the rather than paying for a drop-catch service will likely fail. 10 most active registrar IDs on the deletion day account Re-registrations on day 0 for biz are significantly for only 20 % of same-day re-registrations. While the 90 slower than org, with about 50 % in the first five-minute next registrar IDs together hold the same market share, interval and roughly 20 % during the next 30 minutes. The there is significant weight in the middle ranks as half of lower re-registration speed may be an indicator for lower the registrar IDs (ranks 100 – 1000) account for over half interest in biz re-registrations. In fact, biz is the smallest of deletion-day re-registrations. This effect cannot be of the four zones with pending delete domains analysed observed at all for re-registrations after the deletion day in this paper, and it is decreasing in size (Table3). (Figure7), where the top 10 registrar IDs alone account To further investigate how many resources are dedic- for almost three quarters of re-registrations. The more ated to re-registrations, we compare the number of re- equal distribution of deletion-day re-registrations over gistrar IANA IDs used for re-registrations on day 0 as registrar IDs suggests a tight competition where the top opposed to any later day. Registrar IDs are used in WHOIS performers hold a small but not overwhelming advantage. records to identify the sponsoring registrar of a domain, but there is no 1:1 mapping to companies since a regis- The high number of registrar IDs on the deletion day trar could use multiple IDs (e.g., due to acquisitions of is centred around the time of the drop, as illustrated in other registrars), and it has been reported that drop-catch Figure8. Within the first 30 s after the drop, hundreds of services use multiple credentials in order to increase their registrar IDs are being used each second, but after around success rate during the drop [8, 28]. Indeed, we find that 15 minutes this number already decreases to fewer than re-registrations of com, net and org domains on day 0 are 10 registrar IDs per minute. This suggests that the 0-day carried out with a very large diversity of registrar IDs. For distribution in Figure6 is dominated by the drop, and that instance, we observed a total of 1,745 registrar IDs for the remainder of the day may be more akin to the post- com 0-day domains, but only 308 registrar IDs for com re- deletion day distribution in Figure7, with the additional registrations on any later day combined. Re-registrations resources being deployed only for the time of the drop.

USENIX Association 26th USENIX Security Symposium 873 1.0 1.0

0.9 0.8 0.8

0.6 0.7 0.6

0.4 0.5 com (1745) com (308) 0.4 0.2 net (1484) net (233) org (478) 0.3 org (171) biz (34) biz (94) CDF of re-registered domains (day 0) 0.0 CDF of re-registered domains (days 1+) 0.2 0 1 2 3 4 0 1 2 3 10 10 10 10 10 10 10 10 10 Registrar rank Registrar rank

Figure 6: CDF of deletion day domain re-registrations per registrar ID Figure 7: CDF of domain re-registrations after the deletion day per ranked by re-registration volume (log scale). The 10 most active registrar registrar ID ranked by re-registration volume (log scale). The 10 most IDs are responsible for 20 % of com re-registrations on day 0. active registrar IDs account for 74 % of com re-registrations on days 1+.

103 • Drop-catch registrars are rarely on the receiving end of domain transfers between registrars, as most transfers are away to another registrar. For the regular registrars OVH (433), Gandi (81) and GoDaddy, 2 10 27.6 %, 35.8 % and 55.7 % of all domain transfers were outbound, whereas the percentage was 100 % for Pheenix and SnapNames. These registrar IDs ap-

101 pear to be used for creations of drop-catch domains,

# Registrar IDs (org) but not for management of regular domains. • The success ratio of attempted domain creations is very low for drop-catch registrars, with a large major- 100 ity of domain creations failing. The sample registrar 15:00 16:00 17:00 18:00 19:00 20:00 21:00 22:00 23:00 IDs of Pheenix and DropCatch had success rates of Registration time (UTC) 0.05 % whereas GoDaddy’s success ratio was 71.7 % Figure 8: Histogram of distinct registrar IDs observed for org re- and Gandi’s was 99.3 %. This confirms accounts of registrations during one-minute intervals on the deletion day (log scale). the drop, when the registry systems are flooded with The number rapidly decreases from hundreds of registrar IDs used speculative domain creation requests, most of which directly after the drop to just a few per minute half an hour later. fail because the domain is not yet available, or has already been re-registered by a competitor. 4.3 Drop-Catch Registrar Characteristics Especially the latter point has implications for the do- We now show that the characteristics of registrars enga- main registration systems managed by the registries. In ging in drop-catch re-registrations can be very different August 2016, more than 99.9 % of all attempted domain from regular registrars. To that end, we compute met- creations in the com zone failed. Conservatively estimated, rics from ICANN’s registry transaction report for com in at least 80 % of all attempts can be attributed to failed August 2016 and make the following observations: drop-catching, which means that drop-catch services are • Domain creations by drop-catch registrars are typic- responsible for a very large majority of all domain cre- ally for a one-year duration, whereas other registrars ation requests received by Verisign, the com registry. often have a higher fraction of domains paid in ad- The large number of registrar IDs engaging in drop- vance for up to ten years. For example, 30.8 % of do- catch found in Section 4.2 does not correspond to thou- main creations by GoDaddy’s registrar 146 were for sands of independent drop-catch services, but rather some two or more years, whereas the drop-catch registrars drop-catch services using large numbers of registrar IDs. 627 (Pheenix), 635 (SnapNames) and 1570 (Drop- To better characterise the drop-catch ecosystem, we need Catch) created only one-year registrations. This sug- to find out which registrar IDs collaborate and which gests a lower willingness of up-front investments to ones compete. To that end, we group the individual re- commit to domain names in the long term. gistrar IDs found on the complete IANA list in February

874 26th USENIX Security Symposium USENIX Association Name IDs % 3 SnapNames.com 10 1 DropCatch.com 1252 42.6 % Pheenix.com 2 Pheenix.com 498 16.9 % GoDaddy.com 3 SnapNames.com 466 15.8 % Enom.com 4 LogicBoxes.com 53 1.8 % 2 5 MyDomain.com 43 1.5 % 10 Name.com 6 XZ.com 21 0.7 % DropCatch.com 7 Name.com 19 0.6 % 8 Dynadot.com 19 0.6 % 1 9 22.cn 16 0.5 % # Registrar IDs 10 (total) 2387 81.1 %

0 Table 5: All clusters with more than 10 registrar IDs as of Feb. 2017. 10 The Top 3, all drop-catch services, control 75 % of accredited registrars. 2009-01 2010-01 2011-01 2012-01 2013-01 2014-01 2015-01 2016-01 2017-01 Month

2017 into clusters likely belonging to the same company Figure 9: Historical perspective on cluster size in terms of registrar when they share the same ofﬁcial contact email address IDs, from ICANN com reports until February 2017. Drop-catch services increased their size, whereas regular registrar clusters remained constant. or phone number, or if their name differs only by a number. For instance, the list contains 1,201 IDs with names n n 6 “DropCatch.com LLC”, where is a number. Another 10 cluster contains names that look similar to the human eye, GoDaddy.com SnapNames.com 5 such as “Charlemagne 888, LLC,” “George Washington 10 DropCatch.com 888, LLC,” and “Napoleon Bonaparte, LLC”—these are Enom.com 4 Name.com grouped because of their contact information and belong 10

3 Pheenix.com to the drop-catch service Pheenix. Almost 92 % of the 10 clusters consist of a single registrar ID, but a small number 2 of clusters is very large. Table5 shows all nine clusters 10 # Domains created with more than ten registrar IDs. Their sizes correspond 1 to what was previously reported by specialised online 10

0 media [38, 39]. Overall, the clusters comprising more 10 than ten registrar IDs account for more than 81 % of all 0 1 2 3 10 10 10 10 registrar IDs on the IANA list, and the Top 3, all drop- # Registrar IDs catch services, account for three quarters of all accredited registrars. (In contrast, as shown in Table3, drop-catch Figure 10: Cluster size vs. domain creations in February 2017. Reg- ular registrars such as GoDaddy or Enom have high numbers of total services do not register such a large share of domains—at creations using very few registrar IDs, whereas drop-catch services such most 9.5 % of successful com domain creations each day as SnapNames or DropCatch have an order of magnitude fewer domain can be attributed to drop-catch re-registrations.) Note creations but use almost two orders of magnitude more registrar IDs. that our clustering groups only registrars with evident similarities in their names or contact information. Some drop-catch services are said to have agreements with inde- It is important to keep in mind that maintaining a large pendent registrars to use their credentials for the duration number of registrar IDs is not at all necessary in order of the drop. Therefore, these clusters likely underestimate to register large numbers of domains. Figure 10 plots all the true “horse power” of drop-catch services. clusters in terms of the number of domains registered in To gain a historical perspective, we search ICANN’s February 2017, and the number of active registrar IDs of registry transaction reports for the ﬁrst time a registrar ID the cluster in the same month. GoDaddy registered by far has been observed to register domains (in the com zone). the most domains, but used fewer than ten registrar IDs. Figure9 shows that regular domain registrars such as Drop-catch services such as SnapNames or DropCatch, GoDaddy maintain a constant or only modestly increasing on the other hand, used large numbers of registrar IDs to number of registrar IDs, whereas drop-catch clusters grow re-register relatively few domains. According to ICANN, over two orders of magnitude in an apparent arms race maintaining a registrar ID costs more than USD 4,000 in among drop-catch services [38, 39]. Note that the plot yearly fees alone [25], which amounts to several million only shows cluster size increases due to newly allocated dollars per year for the largest clusters. This suggests that registrar IDs because we always apply the February 2017 controlling a large number of registrar IDs is considered clustering. As a result, initially independent registrars that a prerequisite to success in the competitive drop-catch were later acquired and became part of a larger cluster are business—but it also suggests that drop-catch services shown as part of that cluster from the beginning. expect the generated revenue to justify the investment.

USENIX Association 26th USENIX Security Symposium 875 1.0 not refer to when the auction ended, but to when the list was compiled by the service the morning or night before. 0.8 Since auctions tend to be busiest just before they conclude, our data does not allow us to characterise the ﬁnal prices

0.6 of pre-release sales. Instead, we use it to investigate how early customers start bidding on expiring domains.

0.4 Surprisingly, at our latest observation point, nearly all ultimately sold pre-release domains are still at the starting price. For instance, only 8.9 % of Dynadot’s sold 0.2 com (3232) CDF of drop-catch domains net (721) com domains have an observed price higher than the start- org (1472) ing price. However, there are some outliers, such as a 0.0 2 3 4 GoDaddy com domain listed at $ 64,888. The relatively 10 10 10 Last observed bid (USD) low proportion of sold domains along with auctions that are still inactive on the day before a domain is sold sug- Figure 11: CDF of the last observed bids for successfully acquired gest a lower competition among buyers of pre-release drop-catch domains with multiple backorders on DropCatch (February domains compared to drop-catch domains. to June 2017). Most auctions remain close to the starting price, whereas a few exceed one thousand US dollars. The curve for org is shifted to From a buyer’s perspective, certain premium-priced the left because of a promotion ($ 15 starting price instead of $ 59). pre-release and drop-catch domains must appear more attractive than regularly-priced domains that are freely available for registration. The desirability of a name is 4.4 Value and Use of Drop-Catch Domains difficult to measure. Therefore, we focus on two metrics that relate directly or indirectly to the number of visitors As of 2017, a regular com registration costs around $ 15 that a domain is expected to receive due to its past history. per year; a drop-catch re-registration can cost $ 60 to $ 80. Drop-catch re-registrations appear to be correlated to When multiple customers backorder the same domain, the traffic data reported by the pending delete lists, as the winner is usually determined in a three-day private over 80 % of com domains with more than 100 k visit- auction. DropCatch, however, conducts these auctions ors are re-registered on the deletion day as opposed to in public. We extracted the current bid around 3.5 hours 50 % of domains with 10 k – 100 k visitors, or 5 % of do- before the end of each auction during five months in early mains with fewer than 1 k reported visitors. We observe 2017. Figure 11 shows that a majority of auctions re- a similar trend for the age of the domain, with those that mained close to the starting price, whereas 3.9 % of com had been registered for a longer time period being more auctions exceeded one thousand dollars. Overall, Drop- likely to be re-registered immediately after deletion. This Catch successfully re-registered an average of 2773 com phenomenon is in line with our prior findings [29]. domains per day in early 2017 (Table6). It appears that Similarly to drop-catch domains, pre-release domains only a small fraction of those domains received back- that are reported to receive more traffic or that have orders by multiple interested customers, as the median already been registered for longer time spans are more number of auctions was 21 per day for com, 5 for net, and likely to be sold than other domains. For instance, Dyn- 10 for org (the latter likely due to an ongoing promotion). adot and GoDaddy com domains that were sold had a Our observation 3.5 hours before the end only allows us median registration length of four years as opposed to to give an approximate lower bound on the daily auction one year for Dynadot’s com domains that were not sold revenue with a median of $ 4108 for com, $ 382 for net as pre-release (GoDaddy: 2 years). A long registration and $ 254 for org. Based on a starting price of $ 59, the period however does not guarantee that a domain will be com drop-catch domains sold without an auction yielded sold, as we observed GoDaddy domains over 20 years old an estimated daily revenue of $ 162 k. In comparison, the in both the sold and not sold categories. 1252 registrar IDs controlled by DropCatch represent a To provide a first cursory overview of what re- daily fixed cost of at least $ 13.7 k, or approximately $ 5 registered websites are being used for, we conduct a per sold com domain (ignoring other costs and domains). small-scale manual classification of websites. We inspect Pre-release sales, in contrast, are carried out at compar- a random sample of 50 drop-catch domains six months atively minor cost to the registrars since they already man- after the re-registration, and find that 23 are parked and age the domain and can return it to the registry without display a “for sale” message or textual advertising; nine any fee if it is not sold during the grace period. The sites contain advertising for online casinos, one is ma- pre-release lists often contain metadata about the current licious, two are empty, and eight cannot not be loaded auction state of each domain, such as the number of bid- due to an error. Even though just a superficial analysis, ders and the current price. Unfortunately, the data does it appears that only a small minority of the re-registered

876 26th USENIX Security Symposium USENIX Association sites contain any useful content, while a majority attempt 2016 (4 weeks) 2017 (1 week) to monetise incoming traffic in a rather generic way. We 1 DropCatch.com 87437 Aliyun.com 20208 2 SnapNames.com 40552 DropCatch.com 19411 are planning to further explore this topic in future work, 3 XZ.com 20104 SnapNames.com 7623 and focus this paper on how domains are re-registered. 4 West.cn 8854 LogicBoxes.com 2201 5 GoDaddy.com 7389 Onamae.com 1069 6 Onamae.com 6573 XZ.com 875 7 DNS.cn 4935 GoDaddy.com 875 4.5 Comparison of Drop-Catch Services 8 BizCN.com 4553 West.cn 808 9 Oray.com 4031 BizCN.com 432 To better compare the relative performance of drop-catch 10 CNDNS.com 3200 OpenSRS.com 384 services, we rank the most active clusters of registrar IDs according to com re-registrations on the deletion day Table 6: The Top 10 clusters according to deletion-day re-registrations of com in 2016 and 2017 (MAIN and TASTING data sets, respectively). (Table6). In 2016, DropCatch dominated the ranking There is some variation between the years, and the deletion-day rankings with more than twice as many drop-catch re-registrations are very different from general domain name registrations (not shown). as SnapNames, the cluster ranked second. Due to a lack of visibility into registration times, we cannot distinguish between domains re-registered during regarding a drop-catch service that might be operated by the drop and those that were still re-registered on the de- the same corporate entity. At the same time, some well- letion day, but after the drop. GoDaddy, for instance, known drop-catch services such as Pool are not among is ranked fourth in deletion day re-registrations in 2016. the most highly ranked clusters, which leads us to believe While GoDaddy does accept domain backorders, it is un- that we cannot currently characterise their performance likely that all 11 k deletion-day re-registrations occurred due to the limitations inherent in our methodology. during the competitive drop, given that the GoDaddy cluster consists of only seven registrar IDs. It is more 4.6 Domain Tasting likely that these domains were re-registered after the drop, and their relatively large number may be due to ICANN considers domain tasting a “profit-making abuse GoDaddy’s position as the most popular domain registrar of the domain name system” [26] and discourages it by overall. Similarly, in 2017, the Alibaba cluster with only allowing each registrar only a limited number of free do- two registrar IDs is ranked first, before the DropCatch main deletions during the initial five-day add grace period cluster with 1252 registrar IDs. Indeed, certain domain after domain creation. Traditionally, domain tasting has name speculators appear to leverage reseller APIs to re- been understood as a way for the domain registrant to register domains on the deletion day (e.g., using desktop test how much traffic the domain receives before deciding software [41]). While the cost is comparable to regular whether to keep or return it (e.g., [6]). However, we show domain registrations, such “do-it-yourself” drop-catching that domain tasting can also be used for a similar purpose is expected to succeed only for relatively non-competitive as the auto-renew grace period in the case of pre-release domains not targeted by the large drop-catch services. domain sales. That is, a service can use the add grace The relative ranking of the known drop-catch services period to attempt selling a domain to a customer and DropCatch, SnapNames and Pheenix remains the same return it to the registry for free if no sale is made. in our 2016 and 2017 data. An interesting observation The restrictions imposed by ICANN affect only regis- is that Pheenix added 300 registrar IDs in late 2016 [39] trars with a high ratio of domain deletions per registrar ID. and controlled more registrar IDs than SnapNames during Drop-catch services, however, already need to maintain a our 2017 measurement. However, Pheenix is ranked only high number of registrar IDs in order to compete in the eleventh with 301 re-registrations, as opposed to Snap- drop. In absolute terms, they could delete a high num- Names with 7623 on rank three. Even before the increase, ber of domains for free while staying below ICANN’s Pheenix re-registered fewer domains per registrar ID than thresholds on a per-registrar ID basis. We designed the DropCatch or SnapNames, suggesting that Pheenix may TASTING experiment to specifically measure domain tast- be less efficient in using their registrar IDs. ing among domains re-registered on the deletion day of Despite the widely supported recommendation that cus- the prior registration. We find that domain tasting is re- tomers place backorders with all services [7, 12, 31], we latively uncommon. Only about 2.1 % of com domains do not know how many customers follow this advice, thus re-registered on the deletion date (and much fewer in the our findings should not be seen as a comparison of how other zones) are deleted within the first five days. How- successful drop-catch services are in fulfilling their cus- ever, we find that SnapNames is responsible for over tomers’ orders. Furthermore, our clustering cannot group 98 % of all domain tasting among drop-catch domains. registrar IDs that collaborate during the drop without ex- Upon closer inspection, we find that SnapNames’ web- hibiting any clear administrative relationship. For some site features a file of domain names “in auction,” which of the clusters, we could not find any public information appears to contain only domain names that were recently

USENIX Association 26th USENIX Security Symposium 877 re-registered during the drop, and that all have an active the drop-catch service with most technical resources and website with a parking page during the three-day duration the best insight into details of the drop is going to be most of the auction. When checking the registration status of successful in re-registering deleted domains for their cus- these domains a week later, we find that 41.2 % of the tomers. However, the uncertainty of this process and lack domains have been deleted. We suspect that SnapNames of transparency as to which service is most successful res- proactively registers domain names during the drop, even ult in the common recommendation that customers place without having received a specific backorder from a cus- orders with all services [7, 12, 31]. The re-registration tomer, and deletes these names if they do not find a buyer. race is open to all registrars, and manual re-registration is at least a theoretical possibility, but it is quite wasteful 4.7 Summary of resources as drop-catch services cause a daily flood of requests as a byproduct of determining the next owner. • Domain ownership can change fast, and often: 10 % Pre-release domain sales typically take place as auc- of com, and 5 % of org domains are re-registered tions, thus they are efficient from a technical point of view. on the same day as the old registration is deleted. However, there are administrative concerns, as pre-release Domain-based trust mechanisms should anticipate sales do not allow buyers to freely choose their registrar, ownership changes as a common, expected event. prevent the former domain owner from using the 30-day • Pre-release sales allow ownership changes without redemption period to recover the expired domain, and implication of the prior owner and maintain the old might incentivise registrars to make late domain renewals registration: Expired domains as old as 20 years more difficult (or expensive) for their customers because are available with comparatively little competition. of the potentially more lucrative pre-release sales. Anti-abuse tools may need improved detection of From a security perspective, domain ownership ownership changes that are not re-registrations. changes are problematic because of their potential to • Drop-catch services have a significant impact on break domain-based trust mechanisms [44], abuse resid- the domain name registration system: The Top 3 ual trust [33], and more generally profit from residual account for 75 % of all accredited registrars, and traffic in various ways that are not necessarily illegal, drop-catch is responsible for over 80 % of all domain but often undesirable. While banning domain ownership creation attempts, yet results in no more than 9.5 % changes altogether may not be practicable, we argue that of successful com domain registrations. Drop-catch the process should be made more transparent. State-of- consumes a disproportionate share of resources. the-art anti-abuse systems may find it challenging to detect domain ownership changes such as pre-release sales • Drop-catch re-registrations are highly competitive: because they do not result in a new domain creation. As Half of org’s same-day re-registrations occur within a policy-based approach, registrars could be required to 30 s of the drop (biz: within 5 min of the drop), and maintain a public log of ownership changes, similar to 0-day re-registrations have the highest diversity and Certificate Transparency [30], so that security mechan- most evenly distributed market share of registrar IDs. isms can “reset” trust in a reliable way: Whitelists can High demand for certain expired domains and the drop domains after certain changes of ownership, web willingness to pay premium prices sustain an entire browsers can purge cached website permissions, and web- industry dedicated to “recycling” old domains. sites can remove links pointing to a deleted domain. • Only few drop-catch domains are put to “good” use: What exactly drives that demand for expired domain Most seem to contain nothing but advertisements and names, whether it is intended “productive” use, abuse [22, parking pages to profit from residual traffic. Many 33], monetisation through advertising [48], or speculation if not most drop-catch re-registrations may be of with the goal of reselling the domain name, is still an open limited value to the Internet community as a whole. question, and an interesting direction for future work.

5 Discussion & Conclusions Acknowledgements

Our analysis has shown that there is signiﬁcant demand The authors would like to thank Farsight Security and for expired domain names (e.g., over 10 % of all com Manuel Egele for providing valuable database access and domains re-registered immediately on the day that they computing resources to carry out the measurements. were deleted), and that there is a highly competitive envir- onment of drop-catch services that race to be the ﬁrst to re-register a domain in the very instant that it is deleted References

(e.g., over half of org re-registrations on the deletion day [1] AGTEN, P., JOOSEN, W., PIESSENS, F., AND NIKIFORAKIS, take place within a 30 s time frame). In the current system, N. Seven Months’ Worth of Mistakes: A Longitudinal Study of

878 26th USENIX Security Symposium USENIX Association Typosquatting Abuse. In Network and Distributed System Security [22] HAO,S.,THOMAS,M.,PAXSON, V., FEAMSTER,N., Symposium (2015). KREIBICH,C.,GRIER,C., AND HOLLENBECK,S. Understand- ing the Domain Registration Behavior of Spammers. In ACM [2] ALRWAIS,S.,YUAN,K.,ALOWAISHEQ,E.,LI,Z., AND WANG, Internet Measurement Conference (2013). X. Understanding the Dark Side of Domain Parking. In USENIX Security Symposium (2014). [23] IANA. Registrar IDs. https://www.iana.org/ assignments/registrar-ids/registrar-ids.xhtml. [3] BACKORDERZONE. Namepal Backorders. https://www. backorderzone.com/pending/download/#advanced. [24] ICANN. Monthly Registry Reports. https://www.icann. org/resources/pages/registry-reports. [4] BACKORDERZONE. BackorderZone.com is for Sale. https://web.archive.org/web/20160527215205/http: [25] ICANN. Registrar Accreditation: Financial Consid- //www.backorderzone.com/for-sale.html, 2016. erations. https://www.icann.org/resources/pages/ financials-55-2012-02-25-en. [5] CHACHRA,N.,MCCOY,D.,SAVAGE,S., AND VOELKER,G.M. Empirically Characterizing Domain Abuse and the Revenue Im- [26] ICANN. The End of Domain Tasting — AGP Deletes Decrease pact of Blacklisting. In Workshop on the Economics of Information 99.7 %. https://www.icann.org/news/announcement- Security (2014). 2009-08-12-en, 2009.

[6] COULL,S.E.,WHITE,A.M.,YEN, T., MONROSE, F., AND [27] ICANN. The End of Domain Tasting — Status Report on AGP REITER,M.K. Understanding Domain Registration Abuses. (Add Grace Period) Measures. https://www.icann.org/ Computers and Security 31, 7 (2012), 806–815. resources/pages/agp-status-report-2009-08-12-en, 2009. [7] CYGER,M. List of Domain Name Backorder Ser- [28] JACKSON,R. Inside a Drop Catcher’s War Room: How vices. http://www.domainsherpa.com/domain-name- Enom Arms Maker Chris Ambler Is Turning The Tide backorder-services/, 2013. for Club Drop. http://www.dnjournal.com/columns/ [8] CYGER,M. A Drop Catching Programming Expert Dis- cover080504.htm, 2004. cusses the Domain Name Expiration Process - With Chris Am- [29] LAUINGER, T., ONARLIOGLU,K.,CHAABANE,A., bler. http://www.domainsherpa.com/wp-content/pdf/ ROBERTSON, W., AND KIRDA,E. WHOIS Lost in Trans- Chris-Ambler-Expiration-on-DomainSherpa.pdf, 2016. lation: (Mis)Understanding Domain Name Expiration and [9]D OMAIN GRAVEYARD. http://domaingraveyard.com/. Re-Registration. In ACM Internet Measurement Conference (2016). [10] DOMAINMONSTER. Expired Domains. https://www. domainmonster.com/expired-domains/. [30] LAURIE,B.,LANGLEY,A., AND KASPER,E. RFC 6962: Certificate Transparency. https://tools.ietf.org/html/ [11] DROPCATCH. Download Center. https://www.dropcatch. rfc6962. com/DownloadCenter. [31] LEIGHTON, T. SnapNames Domain News and [12] DROPCATCH. FAQs – Should I place orders with DropCatch.com Views: Best Practices for Getting Names on the Drop. as well as other drop catch services? https://www.dropcatch. http://domains.snapnames.com/2016/03/25/best- com/HowItWorks/Faq#orderswithothers. practices-for-getting-names-on-the-drop/, 2016. [13] DROPCATCH. How it Works: Daily Drop Overview. https: [32] LEVCHENKO,K.,PITSILLIDIS,A.,CHACHRA,N.,ENRIGHT, //www.dropcatch.com/HowItWorks/Overview. B.,FELEGYHAZI´ ,M.,GRIER,C.,HALVORSON, T., KANICH, [14] DYNADOT. Domain Backorders. https://www.dynadot.com/ C.,KREIBICH,C.,LIU,H.,MCCOY,D.,WEAVER,N.,PAX- market/backorder/. SON, V., VOELKER,G.M., AND SAVAGE,S. Click Trajectories: End-to-End Analysis of the Spam Value Chain. In IEEE Sym- [15] GANDI.NET. Renewal, restoration, and deletion times. posium on Security and Privacy (2011). https://wiki.gandi.net/en/domains/renew#renewal_ restoration_and_deletion_times. [33] LEVER,C.,WALLS,R.J.,NADJI, Y., DAGON,D.,MCDANIEL, P., AND ANTONAKAKIS,M. Domain-Z: 28 Registrations Later [16] GODADDY. Auctions. https://auctions.godaddy.com/ – Measuring the Exploitation of Residual Trust in Domains. In ?countryview=1. IEEE Symposium on Security and Privacy (2016). [17] GODADDY. What happens after domain names ex- [34] LIU,S.,FOSTER,I.,SAVAGE,S.,VOELKER,G.M., AND SAUL, pire? https://www.godaddy.com/help/what-happens- L.K. Who is .com? Learning to Parse WHOIS Records. In ACM after-domain-names-expire-6700. Internet Measurement Conference (2015). [18] HALVORSON, T., DER, M. F., FOSTER,I.,SAVAGE,S.,SAUL, [35] MARICONTI,E.,ONAOLAPO,J.,AHMAD,S.S.,NIKIFOROU, L.K., AND VOELKER,G.M. From .academy to .zone: An Ana- N.,EGELE,M.,NIKIFORAKIS,N., AND STRINGHINI,G. Why lysis of the New TLD Land Rush. In ACM Internet Measurement Allowing Profile Name Reuse Is A Bad Idea. In European Work- Conference (2015). shop on System Security (2016). [19] HALVORSON, T., LEVCHENKO,K.,SAVAGE,S., AND [36] MARICONTI,E.,ONAOLAPO,J.,AHMAD,S.S.,NIKIFOROU, VOELKER,G.M. XXXtortion? Inferring Registration Intent N.,EGELE,M.,NIKIFORAKIS,N., AND STRINGHINI,G. in the .XXX TLD. In World Wide Web Conference (2014). What’s in a Name? Understanding Profile Name Reuse on Twitter. [20] HALVORSON, T., SZURDI,J.,MAIER,G.,FELEGYHAZI´ ,M., In World Wide Web Conference (2017). KREIBICH,C.,WEAVER,N.,LEVCHENKO,K., AND PAXSON, [37] MOORE, T., AND EDELMAN,B. Measuring the Perpetrators and V. The BIZ Top-Level Domain: Ten Years Later. In Passive and Funders of Typosquatting. In Financial Cryptography and Data Active Measurement Conference (2012). Security (2010). [21] HAO,S.,KANTCHELIAN,A.,MILLER,B.,PAXSON, V., AND [38] MURPHY,K. DropCatch spends millions to buy FIVE HUN- FEAMSTER,N. PREDATOR: Proactive Recognition and Elimina- DRED more registrars. http://domainincite.com/21309- tion of Domain Abuse at Time-Of-Registration. In ACM Confer- dropcatch-spends-millions-to-buy-five-hundred- ence on Computer and Communications Security (2016). more-registrars, 2016.

USENIX Association 26th USENIX Security Symposium 879 [39] MURPHY,K. Pheenix adds 300 more registrars to drop-catch arsenal. http://domainincite.com/21365-pheenix-adds- 300-more-registrars-to-drop-catch-arsenal, 2016. [40] NAMEJET. Downloads. http://www.namejet.com/Pages/ Downloads.aspx. [41] NAMEPROS. DesktopCatcher software. https: //www.namepros.com/threads/desktopcatcher- software.873819/, 2015. [42] NIKIFORAKIS,N.,INVERNIZZI,L.,KAPRAVELOS,A., VAN ACKER,S.,JOOSEN, W., KRUEGEL,C.,PIESSENS, F., AND VIGNA,G. You Are What You Include: Large-scale Eval- uation of Remote JavaScript Inclusions. In ACM Conference on Computer and Communications Security (2012). [43] POOL. Pending Delete List. http://www.pool.com/ viewlist.aspx. [44] SCHLAMP,J.,GUSTAFSSON,J.,WAHLISCH¨ ,M.,SCHMIDT, T. C., AND CARLE,G. The Abandoned Side of the Internet: Hijacking Internet Resources When Domain Names Expire. In In- ternational Workshop on Trafﬁc Monitoring and Analysis (2015). [45] SNAPNAMES. Auction Lists. https://snapnames.com/ download.jsp. [46] SNAPNAMES. Top Registrar Domains. https://snapnames. com/download.jsp. [47] SZURDI,J.,KOCSO,B.,CSEH,G.,SPRING,J.,FELEGYHAZI´ , M., AND KANICH,C. The Long “Taile” of Typosquatting Domain Names. In USENIX Security Symposium (2014).

[48] VISSERS, T., JOOSEN, W., AND NIKIFORAKIS,N. Parking Sensors: Analyzing and Detecting Parked Domains. In Network and Distributed System Security Symposium (2015).

[49] WANG, D. Y., SAVAGE,S., AND VOELKER,G.M. Juice: A Longitudinal Study of an SEO Botnet. In Network and Distributed System Security Symposium (2013).

[50] WEAVER,N.,KREIBICH,C., AND PAXSON, V. Redirecting DNS for Ads and Proﬁt. In USENIX Workshop on Free and Open Communications on the Internet (2011).

880 26th USENIX Security Symposium USENIX Association